Key distribution method and system in secure broadcast communication

ABSTRACT

A key distribution method and system are disclosed in which a sender and receivers share a common key information for performing a secure broadcast communication. By use of a center side apparatus, a center generates key information of a receiver in association with a subset inclusive of two or more elements of a proper finite set S1 on the basis of a space determined by a subset inclusive of two or more elements of another finite set S2. A sender side apparatus, a sender makes the multi-address transmission of key distribution data W inclusive of data generated corresponding to each element of the finite set S1 and data generated corresponding to a set of plural receivers through a communication network. By use of a receiver side apparatus, a receiver generates common key information between the sender and the receiver from the key distribution data W and the key information of the receiver.

BACKGROUND OF THE INVENTION

The present invention relates to a key distribution method and system in secure broadcast communication.

Up to now, several methods have been proposed in regard to secure broadcast communication (or key management).

For example, a copied key method disclosed by S. J. Kent, "Security requirement and protocols for a broadcast scenario", IEEE Trans. Commun., COM-29, 6, pp. 778-786 (1981) is fundamental. The copied key method is the simple extension of the conventional one-to-one cryptographic individual communication to a multi-address communication. The copy of one kind of key is distributed to a sender and a plurality of normal receivers. The sender enciphers information by use of the copied key and transmits the enciphered information. The normal receiver deciphers the information by use of the same copied key.

The other methods include (i) a secure broadcast communication method disclosed by K. Koyama, "A Cryptosystem Using the Master Key for Multi-Address Communication", Trans. IEICE, J65-D, 9, pp. 1151-1158 (1982) which uses a master key alternative to RSA individual key, (ii) a key distribution system disclosed by Lee et al., "A Multi-Address Communication Using a Method of Multiplexing and Demultiplexing", the Proc. of the 1986 Symposium on Cryptography and Information Security, SCIS86 (1986) which is based on the multiplexing and demultiplexing of information trains using the Chinese reminder theorem, and (iii) a system disclosed by Mambo et al., "Efficient Secure Broadcast Communication Systems", IEICE Technical Report, ISEC93-34 (October 1993).

According to the system for performing the multiplexing and demultiplexing of information trains by use of the Chinese reminder theorem, the following processes are performed.

(1) Key Generating Process

For a receiver i (1≦i≦r) are generated s coprime integers g₁, g₂, . . . , g_(s) (r≦s) and g_(i) is distributed to the receiver i as confidential information of the receiver i beforehand.

(2) Enciphering Process

It is assumed that s information trains to be multiplexed are M₁, M₂, . . . , M_(s). A sender calculates a multiplexed transmit sentence F in accordance with ##EQU1## and makes the multi-address transmission of F, wherein G, G_(i) and A_(i) are the least integer A_(i) which satisfies ##EQU2## G_(i) =G/g_(i), A_(i) G_(i) .tbd.1 (mod g_(i)).

(3) Deciphering Process

The receiver i demultiplexes M_(i) from F by use of g_(i) in accordance with

    M.sub.i =F mod g.sub.i

According to the system disclosed by Mambo et al., "Efficient Secure Broadcast Communication Systems", IEICE Technical Report, ISEC93-34 (October 1993), the following processes are performed.

(1) Key Generating Process

A reliable center generates the following information.

Confidential information:

P=2p+1,Q=2q+1:prime number (p,q:prime number)

e_(i) .di-elect cons.Z,0<e_(i) <L (1≦i≦m)

Public information:

g.di-elect cons.Z, 0<g<N

N=PQ

v_(i) =g^(ei) mod N (1≦i≦m).

The center calculates so satisfying ##EQU3## for σ .di-elect cons.S and distributes s.sub.σ as confidential information of a receiver U.sub.σ, wherein set S={f|one-to-one map f:A={1, 2, . . . , k}→B={1, 2, . . . , m}, m>k}.

(2) Key Distribution Process

(i) A sender randomly selects an integer r to calculate

    z.sub.i =v.sub.i.sup.r mod N (1≦i≦m)

with the object of sharing a common key

    K=g.sup.r mod N

in common with the receiver and makes the multi-address transmission of z_(i) (1≦i≦m).

(ii) The receiver U.sub.σ calculates the common key K in accordance with ##EQU4##

In the above-mentioned key distribution based on the multiplexing method using the Chinese reminder theorem, the length of key distribution data becomes large in proportion to the number of receivers since the key distribution data for individual users are transmitted in a serially arranged manner. This offers a problem from an aspect of efficiency in the case where several millions of receivers are made an object as in a broadcasting satellite service.

On the other hand, in the system disclosed by Mambo et al., "Efficient Secure Broadcast Communication Systems", IEICE Technical Report, ISEC93-34 (October 1993), the length of key distribution data can be reduced even in the case where the number of receivers is large. However, this system has a problem in security that if receivers conspire with each other, confidential information of another receiver can be calculated. Also, it is not possible to possess a key in common with only receivers which belong to any set of receivers.

SUMMARY OF THE INVENTION

Therefore, a principal object of the present invention is to provide a key distribution method and system for secure broadcast communication having the following features:

(1) receivers possess individual confidential key information to share a data enciphered key between the receivers;

(2) even in the case where the number of receivers is large, it is possible to reduce the length of key distribution data;

(3) even if receivers club their confidential information in conspiracy with each other, it is difficult to calculate key information of another receiver and confidential information of a key generator; and

(4) it is possible to possess the data enciphered key in common with only receivers which belong to any set of receivers.

To that end, a key generator generates a finite set S including a plurality of confidential information of the key generator and a finite set P including public information of the key generator, generates confidential key information s(x) of a receiver x from elements of a subset S_(x) of the confidential information S on a space determined by a subset V_(x) of the set S or P, and distributes the key information s(x) to the receiver x. A sender performs an operation of adding random numbers to elements in the public information corresponding to the elements of the set S and makes the multi-address transmission of a set R(P) including the elements which result from the operation. The receiver x selects a set R(P, x) of elements corresponding to S_(x) from R(P) to calculate a common key between the sender and the receiver from each element of R(P, x) and the confidential key information s(x). The common key corresponds to a data enciphered key.

According to a method for possessing a key in common with only receivers which belong to any set of receivers (in this case, a broadcasting station is a key generator and a sender), the broadcasting station generates confidential key information s(x) of a receiver x from a subset S_(x) of a finite set S including a plurality of elements and distributes the key information s(x) to the receiver x. The broadcasting station performs an operation of adding an arbitrarily selected random number to each element of a set P including values corresponding to the elements of the set S and makes the multi-address transmission of a set R(P) including the elements which result from the operation. The broadcasting station further transmits to only the limited receiver a value t(x) characteristic of the receiver x which corresponds to the confidential key information s(x) of the receiver x. The receiver x selects a set R(P, x) of elements corresponding to S_(x) from R(P) to calculate a common key between the broadcasting station and the receiver from the elements of R(P, x), the key information s(x) and the value t(x) of the receiver x.

In the following, mention will be made of a specific realizing example of a method in which the length of key distribution data is short even in the case of a large number of receivers and the security against the conspiracy attack of receivers is improved.

As a preparatory process, a key generator generates

P,Q:prime number

e_(i) .di-elect cons.Z,0<e_(i) <L=lcm (P-1, Q-1) (1≦i≦m)

as confidential information of the key generator and generates

N=PQ

g_(i) .di-elect cons.Z, 0<g_(i) <N (1≦j≦n)

u_(ij) =g_(i) ^(e).sbsp.i mod N (1≦i≦m, 1≦j≦n)

n=kl, k,l (>0).di-elect cons.Z

as public information of the key generator.

Further, the key generator calculates S_(x), (π,σ) =(S_(x),π.sbsb.1.sub.(1), . . . , S_(x),π.sbsb.1.sub.(h), . . . , S_(x),π.sbsb.l.sub.(1), . . . , S_(x), π.sbsb.l.sub.(h)) satisfying ##EQU5## for π=(π₁, . . . , π_(l)).di-elect cons.R_(k), n, σ=(σ₁, . . . , σ_(l)).di-elect cons.S_(k), n and distributes s_(x), (π,σ) as key information of a receiver x. Therein, ##EQU6##

Also, when σ=(σ₁, . . . , σ_(l)), σ'=(σ₁, . . . , σ_(l)).di-elect cons.S'_(k), n for set R_(k), n ={π=(π₁, . . . , π_(l))|one-to-one map π_(i) :{1, 2, . . . , h)→(1, 2, . . . , m}(1≦i≦l, 1≦h≦m)}, set S'_(k),n ={σ=(σ₁, . . . , σ_(l))|one-to-one map σ₁ :A={1, 2, . . . , k}→B={1, 2, . . . , n}(1≦i≦l), σ₁ (A)U . . . Uσ_(l) (A)=B}, a relation ##EQU7## is defined in regard to a proper permutation τ on a set {1, 2, . . . , l}. At this time, "˜" represents an equivalent relation on S'_(k),n and S_(k),n is S_(k),n =S'_(k),n /˜.

As a key distribution process,

(1) a sender randomly selects an integer r to calculate

    y.sub.ij =u.sub.ij.sup.τ mod N (1≦i≦m; 1≦j≦n)

from the public information with the object of sharing a common key K ##EQU8## and makes the multi-address transmission of y_(ij).

(2) The receiver x calculates the common key K in accordance with ##EQU9## wherein Z represents a set of the whole of integers, lcm(a,b) represents the lowest common multiple of integers a and b, and the least positive integer x satisfying g^(x) .tbd.1(mod N) for an integer N is represented by ord_(N) (g).

According to the key distribution method of the present invention, the length of key distribution data can be reduced even in the case where the number of receivers is large. Also, even if unfair receivers club their confidential information, it is difficult to perform irregular practices. Therefore, the data distribution can be performed with a high efficiency and a high security.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram showing the construction of a system in first and second embodiments of the present invention;

FIG. 2 is a diagram showing the internal construction of a center side apparatus in the first and second embodiments of the present invention;

FIG. 3 is a diagram showing the internal construction of a sender side apparatus in the first and second embodiments of the present invention;

FIG. 4 is a diagram showing the internal construction of a receiver side apparatus in the first and second embodiments of the present invention;

FIG. 5 is a diagram showing the construction of a system in third, fourth and eighth embodiments of the present invention;

FIG. 6 is a diagram showing the internal construction of a sender side apparatus in the third, fourth and eighth embodiments of the present invention;

FIG. 7 is a diagram showing the internal construction of a receiver side apparatus in the third, fourth and eighth embodiments of the present invention;

FIG. 8 is a diagram showing the internal construction of a server in the third, fourth and eighth embodiments of the present invention;

FIG. 9 is a diagram showing the internal construction of an IC card in sixth and seventh embodiments of the present invention;

FIG. 10 is a diagram showing the outline of the third and fourth embodiments of the present invention; and

FIG. 11 is a diagram showing the basic scheme of reduction in key distribution data amount in the embodiments of the present invention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

FIG. 11 is a diagram showing the basic scheme of reduction in key distribution data amount in the present invention.

According to FIG. 11, a key generator extracts k information from m confidential information a₁, a₂, . . . , a_(m) and generates confidential key information of a receiver from the extracted information. At this time, it is possible to obtain combinations the number of which is efficiently large as compared with the value of m. For example, when (m, k)=(30, 15), the keys of one hundred and fifty million of receivers can be generated.

The key generator opens public information b₁, b₂, . . . , b_(m) corresponding to the confidential information a₁, a₂, . . . , a_(m) to the public. A sender selects random numbers r and transmits information c₁, c₂, . . . , c_(m) obtained by applying the random numbers to the public information b₁, b₂, . . . , b_(m).

A receiver selects the same combination as that at the time of generation of the confidential information of the receiver from the information c₁, c₂, . . . , c_(m) to perform the calculation of a common key by use of the confidential information of the receiver.

Thereby, the mere transmission of m data makes it possible to possess the key in common with receivers the number of which is not larger than m!/(m-k)!k!.

[Description of Symbols]

Prior to the description of embodiments of the present invention, explanation will be made of some symbols used in the description.

Z represents a set of the whole of integers, and lcm(a,b) represents the lowest common multiple of integers a and b. Also, ord_(p) (g)=m for a prime number p and a positive integer g means that the least integer x>0 satisfying g^(x) .tbd.1(mod p) is m, and min {a₁, a₂, . . . , a_(n) } represents the least value in a₁, a₂, . . . , a_(n) (a_(i) .di-elect cons.Z).

(First Embodiment)

In a first embodiment, description will be made of a method in which a sender and a plurality of receivers share a common key information in order to perform a secure broadcast communication.

FIG. 1 is a diagram showing the construction of a system in the present embodiment. This system includes a center side apparatus 100, a sender side apparatus 200 and receiver side apparatuses 300.

FIG. 2 shows the internal construction of the center side apparatus 100. The center side apparatus 100 is provided with a random number generator 101, a prime number generator 102, an arithmetic unit 103, a power multiplier 104, a residue operator 105 and a memory 106.

FIG. 3 shows the internal construction of the sender side apparatus 200. The sender side apparatus 200 is provided with a random number generator 201, a power multiplier 202, a residue operator 203, a memory 204 and a communication unit 205.

FIG. 4 shows the internal construction of the receiver side apparatus 300. The receiver side apparatus 300 is provided with a communication unit 301, a power multiplier 302, a residue operator 303 and a memory 304.

1. Preparatory Process

A reliable center generates the following information by use of the random number generator 101, the prime number generator 102, the arithmetic unit 103, the power multiplier 104 and the residue operator 105 in the center side apparatus 100 shown in FIG. 2.

Confidential information:

P_(i), Q_(i) :prime number (1≦i≦m)

L_(i) =lcm (ord_(p).sbsb.i (g) ord_(Q).sbsb.i (g)) (1≦i≦m)

e_(i) .di-elect cons.Z.sub., 0<e_(i) <L=lcm (L₁, L₂, . . . , L_(m)) (1≦i≦n)

Public information:

N_(i) =P_(i) Q_(i) (1≦i≦m)

g.di-elect cons.Z, 0<g<N ##EQU10## V_(i) =g^(h) i(e₁, . . . , e_(n)) mod N (1≦i≦M). The center opens only the public information to the public. The confidential information is stored into the memory 106.

Further, the center calculates S_(x), τ=(S_(x),τ(1), S_(x),τ(2), . . . , S_(x),τ(d)) satisfying ##EQU11## for σ_(x) .di-elect cons.S and τ.di-elect cons.T by use of the arithmetic unit 103 and the residue operator 105 in the center side apparatus 100 and distributes S_(x), τ as key information of a receiver x. Therein,

    L.sub.σ =lcm(L.sub.σ(1), L.sub.σ(2), . . . , L.sub.σ(k)).

Also, h_(i) (X₁, . . . X_(n))(1≦i≦M) represents a monomial of X₁, . . . , X_(n) on Z. For set S'={f|one-to-one map f:A={1, 2, . . . , k}→B={1, 2, . . . , m}, m>k}, σ₁, σ₂ .di-elect cons.S', a relation "˜" on S' is defined as ##EQU12## and a quotient set of S' concerning "˜" is defined as S. Further, set T={f|one-to-one map f:A={1, 2, . . . , d}→B={1, 2, . . . , M}, M≧d}.

Here, S_(x),τ is generated so as to satisfy the condition of a secure key that π_(x) ≠g for ##EQU13## 2. Key Distribution Process

(1) A sender randomly selects an integer r by use of the random number generator 201 in the sender side apparatus 200 shown in FIG. 3 to calculate a common key K by use of the power multiplier 202 and the residue operator 203 so that

    0<K=g.sup.r mod N, ##EQU14## is satisfied. K is stored into the memory 204. Further, the sender calculates

    z.sub.i =v.sub.i.sup.r mod N (1≦i≦M)

with the object of possessing the key K in common with the receiver and makes the multi-address transmission of data W obtained by multiplexing z_(i) (1≦i≦M) by use of the communication unit 205 (in accordance with, for example, the multiplexing method using the Chinese reminder theorem mentioned in "BACKGROUND OF THE INVENTION"). The transmission is made through a communication network 400.

(2) The receiver side apparatus 300 (see FIG. 4) of the receiver x demultiplexes Z.sub.τ(i) (1≦i≦d) from the transmit data W by use of the communication unit 301 and uses the power multiplier 302 and the residue operator 303 to calculate the common key K from S_(x),τ and N in the memory 304 in accordance with ##EQU15## The calculated common key K is stored into the memory 304.

According to the present embodiment, a space for generating the key information of a receiver is changed for each receiver. (The space is determined by the value of L.sub.σx.) Therefore, the security against the conspiracy attack of receivers is improved as compared with that in the system disclosed by Mambo et al., "Efficient Secure Broadcast Communication Systems", IEICE Technical Report, ISEC93-34 (October 1993) mentioned in "BACKGROUND OF THE INVENTION".

(Second Embodiment)

In a second embodiment, description will be made of a method in which a sender and a plurality of receivers share a common key information in order to perform a secure broadcast communication.

The construction of a system is the same as that shown in FIG. 1 in conjunction with the first embodiment.

1. Preparatory Process

A reliable center generates the following information by use of the random number generator 101, the prime number generator 102, the arithmetic unit 103, the power multiplier 104 and the residue operator 105 in the center side apparatus 100 shown in FIG. 2.

Confidential information:

P_(i), Q_(i) :prime number (1≦i≦m)

e_(i) .di-elect cons.Z, 0<e_(i) <L=lcm (L₁, L₂, . . . , L_(m)) (1≦i≦n)

Public information: ##EQU16## The center opens only the public information to the public. The confidential information is stored into the memory 106.

Further, the center calculates s.sub.σ.sbsb.x =((S.sub.σ.sbsb.x,1.sub.(1), S.sub.σ.sbsb.x,1.sub.(2), . . . , S.sub.σ.sbsb.x,1.sub.(k)), . . . (S.sub.σ.sbsb.x,a.sub.(1), S.sub.σ.sbsb.x,a.sub.(2), . . . , S.sub.σ.sbsb.x,a.sub.(k))) satisfying ##EQU17## (1≦j≦a) for σ_(x) =(σ_(x),1, . . . , σ_(x),a).di-elect cons.S, σ'_(x) =(σ'_(x),1, . . . , σ'_(x),a) .di-elect cons.T by use of the arithmetic unit 103 and the residue operator 105 in the center side apparatus 100 and distributes S.sub.σ.sbsb.x and ##EQU18## as key information of a receiver x. Therein, ##EQU19##

Also, h_(i) (X₁, . . . , X_(n))(1≦i≦m) represents a monomial of X₁, . . . , X_(n) on Z. For set S'(M)={σ=(σ₁, . . . , σ_(a))|one-to-one map σ_(i) :A={1, 2, . . . , k}→B={1, 2, . . . , M}(i=1, . . . , a), σ₁ (A) U . . . Uσ_(a) (A)=B, M=ak}, σ=(σ₁, . . . , σ_(a)), σ'=(σ'₁, . . . , σ'_(a)).di-elect cons.S'(M), a relation ##EQU20## is defined and a quotient set of S'(M) concerning "˜" is defined as S. Further, a quotient set of m=ad, S'(m) concerning "˜" is defined as T.

2. Key Distribution Process

(1) A sender randomly selects an integer r by use of the random number generator 201 in the sender side apparatus 200 shown in FIG. 3 to calculate a common key K ##EQU21## by use of the power multiplier 202 and the residue operator 203 and stores K into the memory 204. Further, the sender calculates

    W=(w.sub.ij), w.sub.ij =v.sub.ij.sup.r mod N(1≦i,j≦M)

with the object of possessing the key K in common with the receiver and makes the multi-address transmission of the data W through the communication network 400 by use of the communication unit 205.

(2) The receiver side apparatus 300 (see FIG. 4) of the receiver x, from the transmit data W received by the communication device 301 and by use of the power multiplier 302 and the residue operator 303, calculates the common key K from s.sub.σ.sbsb.x and N in the memory 304 in accordance with ##EQU22## wherein ##EQU23## The calculated common key K is stored into the memory 304.

In the second embodiment, one condition for generation of a secure key may be ##EQU24##

According to the second embodiment, a space for generating the key information of a receiver is changed for each receiver. (This space is determined by the value of L.sub.σ'.sbsb.x,1, . . . , L.sub.σ'.sbsb.x,a) Therefore, the security against the conspiracy attack of receivers is improved as compared with that in the system disclosed by Mambo et al., "Efficient Secure Broadcast Communication Systems", IEICE Technical Report, ISEC93-34 (October 1993) mentioned in "BACKGROUND OF THE INVENTION".

(Third Embodiment)

The present embodiment corresponds to the case where a limited secure broadcast communication method based on the key distribution method according to the first embodiment is applied to an information distribution service system using a satellite. Namely, a broadcast station makes the secure broadcast communication of information (including onerous data) such as multimedia information to receivers by use of a satellite and only receivers entitled to looking and listening (or receivers under agreement for the payment of counter values) can decipher transmit data.

FIG. 5 is a diagram showing the construction of a system in the present embodiment. This system includes a broadcasting station side apparatus 500, receiver side apparatuses 600 and servers 700.

FIG. 6 shows the internal construction of the broadcasting station side apparatus 500. The broadcasting station side apparatus 500 is provided with a random number generator 501, a prime number generator 502, an arithmetic unit 503, a power multiplier 504, a residue operator 505, a key generating unit 506, an enciphering/deciphering unit 507, a communication unit 508 and a memory 509.

FIG. 7 shows the internal construction of the receiver side apparatus 600. The receiver side apparatus 600 is provided with a memory 601, a power multiplier 602, a residue operator 603, an arithmetic unit 604, an authentication unit 605, a communication unit 606, a key generating unit 607, an enciphering/deciphering unit 608 and an IC card connection unit 609.

FIG. 8 shows the internal construction of the server 700. The server 700 is provided with a communication unit 701, an enciphering/deciphering unit 702, a memory 703, an authentication unit 704 and an accounting unit 705.

FIG. 9 shows the internal construction of an IC card 800 possessed by a receiver. The IC card 800 is provided with a memory 801, a power multiplier 802, a residue operator 803 and an authentication information generating unit 804.

FIG. 10 is a diagram showing the outline of transfer of information between the broadcasting station side apparatus 500, the receiver side apparatus 600 and the server 700.

A set R of receivers is R=U.sub.λ.di-elect cons.Λ R.sub.λ for a family {R.sub.λ }.sub.λ.di-elect cons.Λ of subsets and a server S.sub.λ is provided corresponding to each subset R.sub.λ.

1. Preparatory Process

A broadcasting station generates the following information by use of the random number generator 501, the prime number generator 502, the arithmetic unit 503, the power multiplier 504 and the residue operator 505 in the broadcasting station side apparatus 500 and stores in the memory 509 (see FIG. 6).

Confidential information:

P_(i), Q_(i) :prime number (1≦i≦m)

L_(i) =lcm (ord_(p).sbsb.i (g), ord_(Q).sbsb.i (g)) (1≦i≦m)

e_(i) .di-elect cons.Z, 0<e_(i) <L=lcm (L₁, L₂, . . . , L_(m)) (1≦i≦n)

Public information: ##EQU25## The broadcasting station opens only the public information to the public.

Further, the broadcasting station generates S_(x),τ =S_(x),τ(1), S_(x),τ(2), . . . , S_(x),τ(d)) (S_(x),τ(i).di-elect cons.Z, 0<S_(x),τ(i) <L, τ.di-elect cons.T) by use of the random number generator 501 and distributes s_(x),τ as key information of a receiver x. Therein, h_(i) (X₁, . . . , X_(n))(1≦i≦M) represents a monomial of X₁, . . . , X_(n) on Z. Also, set T={f|one-to-one map f:A={1, 2, . . . , d}→B={1, 2, . . . , M}, M≧d}.

The broadcasting station generates a random number r' (0≦r'≦L) for σ_(x) .di-elect cons.S by use of the random number generator 501 in the broadcasting station side apparatus 500 and calculates U_(x),τ =(U_(x),τ(1), U_(x),τ(2), . . . , U_(x),τ(d)) satisfying ##EQU26## by use of the arithmetic unit 503 and the residue operator 505, wherein

    L.sub.σ =l cm(L.sub.σ(1), L.sub.σ(2), . . . , L.sub.σ(k))(σ.di-elect cons.S).

Also, for set S'={f|one-to-one map f:A={1, 2, . . . , k}→B={1, 2, . . . , m}, m≧K}, σ₁, σ₂ .di-elect cons.S', a relation "˜" on S' is defined as ##EQU27## and a quotient set of S' concerning "˜" is defined as S.

Here, s_(x),τ is generated so as to satisfy the condition of a secure key that π_(x) ≠g for ##EQU28## 2. Enciphering/Deciphering Process

(1) The broadcasting station randomly selects an integer r (0≦r≦L) by use of the random number generator 501 in the broadcasting station side apparatus 500 so that

    0<g.sup.rr' mod N, ##EQU29## is satisfied, and generates a data enciphered key K=f(g.sup.rr' mod N) by use of the power multiplier 504, the residue operator 505 and the key generating unit 506. Further, the broadcasting station calculates

    z.sub.i =v.sub.i.sup.r mod N(1≦i≦M)

and makes the multi-address transmission of an enciphered sentence C=E(K:P) obtained by enciphering data P by the key K by use of the enciphering/deciphering unit 507 and data W obtained by multiplexing z_(i) (1≦i≦M) by use of the communication unit 508 (in accordance with, for example, the multiplexing method using the Chinese reminder theorem mentioned in "BACKGROUND OF THE INVENTION"). Herein, f is a key generation function of a confidential key enciphering system opened to the public. Further, the broadcasting station generates

    V.sub.λ ={u.sub.x,τ =(u.sub.x,τ(1), . . . , u.sub.x,τ(d))|x.di-elect cons.R.sub.λ }

for each λ.di-elect cons.Λ by use of the arithmetic unit 503 and the residue operator 505 in the broadcasting station side apparatus 500, obtains an enciphered sentence C.sub.λ =E(K(S.sub.λ):V.sub.λ) by enciphering V.sub.λ by a key K(S.sub.λ) by use of the enciphering/deciphering unit 507 and transmits C.sub.λ to the server 700 (S.sub.λ) by use of the communication unit 508. The key K(S.sub.λ) is shared between the broadcasting station and the server 700 (S.sub.λ) beforehand.

(2) In order to see the data P, a receiver x uses the communication unit 606 in the receiver side apparatus 600 shown in FIG. 7 to make access to a server 700 in an area to which the receiver belongs. And, the receiver uses the authentication unit 605 in the receiver side apparatus 600 (and the server 700 uses the authentication unit 704) to make the authentication by demonstrating the possession of the confidential information s_(x),τ. If the authentication is materialized, the server 700 transmits U_(x),τ =(U_(x),τ(1), U_(x),τ(2), . . . , U_(x),τ(k)) in the memory 703 to the receiver side apparatus 600 of the receiver x by use of the communication unit 701.

At this time, in the case where the data P is onerous, the server 700 performs a process for account to the receiver x by use of the accounting unit 705.

(3) The receiver side apparatus 600 of the receiver x calculates a data enciphered key K from S_(x),τ in the memory 601 by use of the power multiplier 602, the residue operator 603 and the key generating unit 607 in accordance with ##EQU30## and deciphers the data P from the enciphered sentence by use of the enciphering/deciphering unit 608.

Also, a method for authentication by the receiver x for the server 700 in the step (2) of the above-mentioned enciphering/deciphering process can rely upon a known authentication system, so far as it is a method with which the authentication is not materialized if the receiver x does not know s_(x),τ.

In the following, a method using a signature as disclosed by RSA (R. L. Rivest, A. Shamir and L. Adleman, "A method for obtaining digital signatures and public key cryptosystems", Commun. of the ACM, Vol. 21, No. 2, pp. 120-126 (1987)) will be mentioned as an example of the method for authentication by the receiver x for the server 700.

The broadcasting station distributes (y_(x), n_(x)) satisfying

    S'.sub.x y.sub.x .tbd.1(mod l cm(p.sub.x -1,q.sub.x -1)), n.sub.x =p.sub.x q.sub.x (p.sub.x,q.sub.x :prime number)

for each receiver x to a server 700 in an area to which the receiver belongs, wherein s'_(x) =π (s_(x),τ) for a function π opened to the public.

(i) The receiver x uses the authentication unit 605 in the receiver side apparatus 600 to generate a signature

    sgn.sub.x (h(W)=h(W).sup.s' x mox n.sub.x

for h(W) (0<h(W)<n_(x)) by use of a confidential key s'_(x), wherein W is the multi-address transmitted data and h is a one-way hash function which is public information. The generated signature is transmitted to the server 700 by use of the communication unit 606. The signature is transmitted together with a data name for which the looking and listening are desired.

(ii) The server 700 checks a relation of

    sgn.sub.x (h(W)).sup.y.sbsp.x .tbd.h(W)(mod n.sub.x)

by use of the authentication unit 704 and transmits u_(x),τ in the memory 703 to the receiver side apparatus 600 of the receiver x by use of the communication unit 701 if the relation is satisfied. At this time, in the case where the data desired by the receiver for the looking and listening is onerous, the server 700 performs a process for account to the receiver x by use of the accounting unit 705. Also, in the case where the receiver x possesses an IC card 800 having confidential information s'_(x) and connects the IC card 800 to the IC card connection unit 609 in the receiver side apparatus 600 to obtain data from the broadcasting station, the calculation by the receiver using the confidential information s'_(x) is performed using the authentication information generating unit 804 in the IC card 800 shown in FIG. 9. For instance, in the above example, the calculation of sgn_(x) (W) is performed using the authentication information generating unit 804 in the IC card 800.

According to the present embodiment, the identification of a set of receivers sharing a key is made by distributing u_(x),τ to only limited receivers. Thereby, the key distribution for a limited secure broadcast communication becomes possible.

(Fourth Embodiment)

The present embodiment corresponds to the case where a limited secure broadcast communication method based on the key distribution method according to the second embodiment is applied to an information distribution service system using a satellite. Namely, a broadcast station makes the secure broadcast communication of information (including onerous data) such as multimedia information to receivers by use of a satellite and only receivers entitled to looking and listening (or receivers under agreement for the payment of counter values) can decipher transmit data.

The construction of a system in the present embodiment is the same as that shown in FIG. 5 explained in conjunction with the third embodiment. FIGS. 6 to 10 are also applied to the present embodiment.

A set R of receivers is R=U.sub.λ.di-elect cons.Λ R.sub.λ for a family {R.sub.λ }.sub.λ.di-elect cons.Λ of subsets and a server S.sub.λ is provided corresponding to each subset R.sub.λ.

1. Preparatory Process

A broadcasting station generates the following information by use of the random number generator 501, the prime number generator 502, the arithmetic unit 503, the power multiplier 504 and the residue operator 505 in the broadcasting station side apparatus 500 (see FIG. 6).

Confidential information:

P_(i), Q_(i) :prime number (1≦i≦m)

e_(i) .di-elect cons.Z, 0<e_(i) <L=lcm (L₁, L₂, . . . , L_(m)) (1≦i≦n)

Public information: ##EQU31## The broadcasting station opens only the public information to the public.

Further, the broadcasting station generates S.sub.σ.sbsb.x =((S.sub.σ.sbsb.x,1.sub.(1), S.sub.σ.sbsb.x,1.sub.(2), . . . , S.sub.σ.sbsb.x,1.sub.(k)), . . . , (S.sub.σ.sbsb.x,a.sub.(1), S.sub.σ.sbsb.x,a.sub.(2), . . . , S.sub.σ.sbsb.x,a.sub.(k))) S.sub.σ.sbsb.x,1.sub.(i), . . . , S.sub.σ.sbsb.x,a.sub.(i), .di-elect cons.Z, 0<S_(x),τ(i) <L, σ_(x) =(σ_(x),1, . . . , σ_(x),a) .di-elect cons.S) by use of the random number generator 501 and distributes s.sub.σx together with ##EQU32## as key information of a receiver x. Therein, h_(i) (X₁, . . . , X_(n))(1≦i≦M) represents a monomial of X₁, . . . , X_(n) on Z. Also, for set S'(M)={σ=(σ₁, . . . , σ_(a))|one-to-one map σ_(i) :A={1, 2, . . . , k}→B={1, 2, . . . , M}(i=1, . . . , a), σ₁ (A) U . . . U.sub.σ.sbsb.a (A)=B, M=ak}, σ=(σ₁, . . . , σ_(a)), σ'=(σ'₁, . . . , σ'_(a)) .di-elect cons.S'(M), a relation ##EQU33## is defined and a quotient set of S'(M) concerning "˜" is defined as S. Further, a quotient set of m=ad, S'(m) concerning "˜" is defined as T.

The broadcasting station generates a random number r' (0≦r'≦L) for σ_(x) =(σ_(x),1, . . . , σ_(x),a)) .di-elect cons.S, σ'_(x) =(σ'_(x),1, . . . , σ'_(x),a) .di-elect cons.T by use of the random number generator 501 in the broadcasting station side apparatus 500 and calculates u.sub.σ.sbsb.x =((u.sub.σ.sbsb.x,1.sub.(1), u.sub.σ.sbsb.x,1.sub.(2), . . . , u.sub.σ.sbsb.x,1.sub.(1)), . . . , (u.sub.σ.sbsb.x,a.sub.(1), u.sub.σ.sbsb.x,a.sub.(2), . . . , u.sub.σ.sbsb.x,a.sub.(k))) satisfying ##EQU34## by use of the arithmetic unit 503 and the residue operator 505, wherein L satisfies (i=1, . . . , a). ##EQU35## 2. Enciphering/Deciphering Process

(1) The broadcasting station randomly selects an integer r (0≦r≦L) by use of the random number generator 501 in the broadcasting station side apparatus 500 so that ##EQU36## is satisfied, and generates a data enciphered key K=f(g₁ g₂ . . . g_(M))^(rr') mod N) by use of the power multiplier 504, the residue operator 505 and the key generating unit 506. Further, the broadcasting station calculates

    W=(w.sub.ij), w.sub.ij =v.sub.ij.sup.r mod N (1≦i,j≦M)

and makes the multi-address transmission of an enciphered sentence C=E(K:P) obtained by enciphering data P by the key K by use of the enciphering/deciphering unit 507 and the data W. Therein, f is a key generation function of a confidential key enciphering system opened to the public. Further, the broadcasting station generates

    V.sub.λ ={u.sub.σ.sbsb.x |x.di-elect cons.R.sub.λ }

for each λ.di-elect cons.Λ by use of the arithmetic unit 503 and the residue operator 505 in the broadcasting station side apparatus 500, obtains an enciphered sentence C.sub.λ =E(K(S.sub.λ):V.sub.λ) by enciphering V.sub.λ by a key K(S.sub.λ) by use of the enciphering/deciphering unit 507 and transmits C.sub.λ to the server 700 (S.sub.λ) by use of the communication unit 508. The key K(S.sub.λ) is shared between the broadcasting station and the server 700 (S.sub.λ) beforehand.

(2) In order to see the data P, a receiver x uses the communication unit 606 in the receiver side apparatus 600 (see FIG. 7) to make access to a server 700 in an area to which the receiver belongs. And, the receiver uses the authentication unit 605 in the receiver side apparatus 600 (and the server 700 uses the authentication unit 704) to make the authentication by demonstrating the possession of the confidential information s.sub.σ.sbsb.x. If the authentication is materialized, the server 700 transmits u.sub.σ.sbsb.x in the memory 703 to the receiver side apparatus 600 of the receiver x by use of the communication unit 701.

At this time, in the case where the data P is onerous, the server 700 performs a process for account to the receiver x by use of the accounting unit 705.

(3) The receiver side apparatus 600 of the receiver x calculates a data enciphered key K from s.sub.σ.sbsb.x in the memory 601 by use of the power multiplier 602, the residue operator 603 and the key generating unit 607 in accordance with ##EQU37## and deciphers the data P from the enciphered sentence C by use of the enciphering/deciphering unit 608, wherein ##EQU38##

Like the third embodiment, a method for authentication by the receiver x for the server 700 in (2) of the above-mentioned enciphering/deciphering process can rely upon a known authentication system, so far as it is a method with which the authentication is not materialized if the receiver x does not know s.sub.σ.sbsb.x.

In the fourth embodiment, one condition for generation of a secure key may be ##EQU39##

According to the present embodiment, the identification of a set of receivers sharing a key is made by distributing u.sub.σ.sbsb.x to only limited receivers. Thereby, the key distribution for a limited secure broadcast communication becomes possible.

(Fifth Embodiment)

In a fifth embodiment, the data enciphered key K in the third and fourth embodiments is updated by changing the value of r in the data enciphered key K=f(g^(rr') mod N) for each short time period.

Further, the identification of transmit data subjected to multi-address transmission by a broadcasting station is made by taking a value characteristic of transmit data as the value of r'. Namely, information u_(x),τ (or u.sub.σ.sbsb.x) obtained by a receiver x from a server 700 in order to looking and listening certain broadcast data is characteristic of that broadcast data information and it is necessary to obtain another information u'_(x),τ (or u'.sub.σ.sbsb.x) from the server 700 in order to look and listen another broadcast data. Thereby, the identification of broadcast data subjected to an accounting process is made.

(Sixth Embodiment)

In the present embodiment, description will be made of a method in which in the case where in the third embodiment the receiver possesses an IC card 800 (see FIG. 9) having key information and connects the IC card 800 to the IC card connection unit 609 in the receiver side apparatus 600 (see FIG. 7) to obtain data from the broadcasting station, the calculation of ##EQU40## by the receiver x in the step (3) of the enciphering/deciphering process in the third embodiment is performed with a high efficiency.

The receiver side apparatus 600 (see FIG. 7) calculates

    ξ.sub.x,τ(i) =z.sub.τ(i).sup.u x,τ(i) mod N (1≦i≦d)

by use of the residue operator 603 and the arithmetic unit 604 and outputs ξ_(x),τ(i) (1≦i≦d) to the IC card 800 (see FIG. 9).

The IC card 800 calculates

    η.sub.x,τ(i) =.sub.ξx,τ(i).sup.s x,τ(i) mod N (1≦i≦d)

by use of the power multiplier 802 and the residue operator 803 and outputs η_(x),τ(i) (1≦i≦d) to the receiver side apparatus 600.

The receiver side apparatus 600 calculates ##EQU41## by use of the power multiplier 602, the residue operator 603 and the arithmetic unit 604.

(Seventh Embodiment)

The present embodiment is an example in which in the case where in the fourth embodiment the receiver x possesses an IC card 800 (see FIG. 9) having key information and connects the IC card 800 to the IC card connection unit 609 in the receiver side apparatus 600 (see FIG. 7) to obtain data from the broadcasting station, means for improving the efficiency of the calculation of the data enciphered key in the step (3) of the enciphering/deciphering process in the fourth embodiment is provided as in the sixth embodiment. Namely, a processing for calculation using confidential information is performed in the IC card 800 while a processing for calculation using no confidential information is performed in the receiver side apparatus 600.

(Eighth Embodiment)

The present embodiment corresponds to a specific case of the fourth embodiment.

A set R of receivers is R=U.sub.λ.di-elect cons.Λ R.sub.λ for a family {R.sub.λ }.sub.λ.di-elect cons.Λ of subsets and a server S.sub.λ is provided corresponding to each subset R.sub.λ.

1. Preparatory Process

A broadcasting station generates the following information by use of the random number generator 501, the prime number generator 502, the arithmetic unit 503, the power multiplier 504 and the residue operator 505 in the broadcasting station side apparatus 500 (see FIG. 6).

Confidential information:

P, Q:prime number

e_(i) .di-elect cons.Z, 0<e_(i) <L=lcm (P-1, Q-1) (1≦i≦m)

Public information:

N=PQ

The broadcasting station opens only the public information to the public.

Further, the broadcasting station generates S_(x)(π,σ) =(S_(x),π.sbsb.1.sub.(1), . . . , S_(x),π.sbsb.1.sub.(h), . . . , S_(x),π.sbsb.l.sub.(1), . . . , S_(x),π.sbsb.l.sub.(h)) by use of the random number generator 501 and distributes s_(x),(π,σ) as key information of a receiver x. The broadcasting station generates a random number r' (0≦r'≦L) for π=(π₁, . . . , π_(l)) .di-elect cons.R_(k),n, σ=(σ₁, . . . , σ_(l)) .di-elect cons.S_(k),n by use of the random number generator 501 in the broadcasting station side apparatus 500 and calculates r_(x),(π,σ) =(r_(x),π.sbsb.1.sub.(1), . . . , r_(x),π.sbsb.1.sub.(h), . . . , r_(x)π.sbsb.l.sub.(1), . . . , r_(x),π.sbsb.l.sub.(h)) satisfying ##EQU42## by use of the arithmetic unit 503 and the residue operator 505. Therein, L.sub.σ.sbsb.i satisfies ##EQU43## Also, when σ=(σ₁, . . . , σ_(l)), σ'=(σ'₁, . . . , σ'_(l)) .di-elect cons.S'_(k),n for n=kl, set R_(k),n ={π=(π₁, . . . , π_(l))|one-to-one map π_(i) :{1, 2, . . . , h}→{1, 2, . . . , m}(1≦i≦l,1≦h≦m)}, set S'_(k),n ={σ=(σ₁, . . . , σ_(l))|one-to-one map σ_(i) :A={1, 2, . . . , k}→B={1, 2, . . . , n}(1≦i≦l), σ₁ (A)U . . . Uσ_(l) (A)=B}, a relation ##EQU44## is defined in regard to proper permutation τ on a set {1, 2, . . . , l}. At this time, "˜" represents an equivalent relation on S'_(k),n and S_(kn) is S_(k),n =S'_(k),n /˜.

2. Enciphering/Deciphering Process

(1) The broadcasting station randomly selects an integer r (0≦r≦L) by use of the random number generator 501 in the broadcasting station side apparatus 500 to generate a data enciphered key K=f(g₁ g₂ -g_(n))^(rr') mod N) by use of the power multiplier 504, the residue operator 505 and the key generating unit 506. Further, the broadcasting station calculates

    W=(y.sub.ij), y.sub.ij =u.sub.ij.sup.r mod N (1≦iμm, 1≦j≦n)

and makes the multi-address transmission of an enciphered sentence C=E(K:P) obtained by enciphering data P by the key K by use of the enciphering/deciphering unit 507 and the data W. Therein, f is a key generation function of a confidential key enciphering system opened to the public. Further, the broadcasting station generates

    V.sub.λ ={r.sub.x,(π,σ) |x.di-elect cons.R.sub.λ }

for each λ.di-elect cons.Λ by use of the arithmetic unit 503 and the residue operator 505 in the broadcasting station side apparatus 500, obtains an enciphered sentence C.sub.λ =E(K(S.sub.λ):V.sub.λ) by enciphering V.sub.λ by a key K(S.sub.λ) by use of the enciphering/deciphering unit 507 and transmits C.sub.λ to the server 700 (S.sub.λ) by use of the communication unit 508. The key K(S.sub.λ) is shared between the broadcasting station and the server 700 (S.sub.λ) beforehand.

(2) In order to see the data P, a receiver x uses the communication unit 606 in the receiver side apparatus 600 to make access to a server 700 (see FIG. 8) in an area to which the receiver belongs. And, the receiver uses the authentication unit 605 in the receiver side apparatus 600 (and the server 700 uses the authentication unit 704) to make the authentication by demonstrating the possession of the confidential information s.sub.σ. If the authentication is materialized, the server 700 transmits r_(x),(π,σ) in the memory 703 to the receiver side apparatus 600 of the receiver x by use of the communication unit 701.

At this time, in the case where the data P is onerous, the server 700 performs a process for account to the receiver K by use of the accounting unit 705.

(3) The receiver side apparatus 600 of the receiver x calculates a data enciphered key K from s_(x),(π,σ) in the memory 601 by use of the power multiplier 602, the residue operator 603 and the key generating unit 607 in accordance with ##EQU45## and deciphers the data P from the enciphered sentence C by use of the enciphering/deciphering unit 608.

Like the third embodiment, a method for authentication by the receiver x for the server 700 in (2) of the above-mentioned enciphering/deciphering process can rely upon a known authentication system, so far as it is a method with which the authentication is not materialized if the receiver x does not know s_(x),(π,σ).

The present invention is applicable to a multi-channel broadcasting satellite digital communication system, a TV conference system using a satellite, a CATV, a multi-media information distribution system, and so forth.

Accordingly, the present invention is not limited to the disclosed embodiments and includes various modifications in the scope of claims. 

We claim:
 1. A key distribution system in which a sender and a plurality of receivers use individual key information generated beforehand by a key generator to share a common key information for performing a secure broadcast communication, wherein(i) the key generator side is provided with:means for generating confidential information of a receiver in association with a subset inclusive of at least two elements of a first finite set S1 on the basis of a space determined by a subset inclusive of at least two elements of a second finite set S2; and means for distributing said confidential information to the receiver, (ii) the sender side is provided with:means for generating key distribution data corresponding to each element of said first finite set S1; and communication means for making the multi-address transmission of said key distribution data, and (iii) the receiver side is provided with:storage means for storing said confidential information beforehand; and means for calculating common key information K between the sender and the receiver from the stored confidential information for each receiver and the key distribution data.
 2. A key distribution system in a limited secure broadcast communication in which a broadcasting station as a sender communicates with only receivers limited beforehand from among a plurality of receivers, wherein(i) the sender side is provided with:means for generating confidential information of a receiver in association with a subset inclusive of at least two elements of a finite set S; means for distributing said confidential information to the receiver; means for generating key distribution data corresponding to each element of said finite set S; communication means for making the multi-address transmission of said key distribution data; means for generating individual information for each receiver to be transmitted to only said limited receivers; and communication means for transmitting said individual information for each limited receiver x, and (ii) the receiver x side is provided with:means for storing said confidential information; and means for calculating common key information K between the sender side and the receiver from said confidential information s_(x) for each receiver distributed by said sender side, said key distribution data and said individual information.
 3. A key distribution system according to claim 2, wherein said sender side is further provided wilt means for changing said key distribution data to change the value of said common key.
 4. A key distribution system according to claim 2, wherein said receiver x side is provided with authentication means for making the authentication for the sender side by use of said confidential information s_(x) in the case where transmit data is onerous indicating that a fee is charged, and said sender side is provided with communication means for transmitting said individual information V_(x) if the authentication requested from the receiver side is materialized.
 5. A key distribution system according to claim 1, wherein(i) said key generator side comprises:means for generatingP_(i), Q_(i) :prime number (1≦i≦m) L_(i) =lcm(ord_(p).sbsb.i (g), ord_(Q).sbsb.i (g)) (1≦i≦m) e_(i) .di-elect cons.Z, 0<e_(i) <L=lcm(L₁, L₂, . . . , L_(m)) (1≦i≦n)as confidential information of the key generator; means for generatingN_(i) =P_(i) Q_(i) (1≦i≦m) g.di-elect cons.Z, 0<g<N ##EQU46## as public information of the key generator; storage means for storing said confidential information and said public information; means for acquiring key information of the key generator for σ_(x) .di-elect cons.S and τ.di-elect cons.T from said storage means to calculate S_(x),τ =(S_(x),τ(1), S_(x),τ(2), . . . , S_(x),τ(d) satisfying ##EQU47## means for distributing s_(x),τ as key information of the receiver x, wherein L.sub.σ =lcm(L.sub.σ(1), L.sub.σ(2), . . . , L.sub.σ(k)) (σ.di-elect cons.S); h₁ (X₁, . . . , X_(n)) (1≦i≦M) represents a monomial of X₁, . . . , X_(n) on Z; for set S'={f|one-to-one map f:A={1, 2, . . . , k}→B={1, 2, . . . , m}, m>K}, σ₁, σ₂ .di-elect cons.S', a relation "˜" on S' is defined as ##EQU48## and a quotient set of S' concerning "˜" is defined as S; and set T={f|one-to-one map f:A={1, 2, . . . , d}→B={1, 2, . . . , M}, M≧d}; means for randomly selecting for any receiver x an integer r which satisfies

    0<K=g.sup.r mod N, ##EQU49## means for calculating

    z.sub.i =v.sub.i.sup.r mod N (1≦i≦M)

as broadcast communication data from the public information of the key generator with the object of possessing K as a common key; and communication means for making the multi-address transmission of said broadcast communication data, wherein ##EQU50## and (ii) said receiver x side comprises: means for calculating the common key K from said broadcast communication data and said confidential information S_(x),τ =(S_(x),τ(1), S_(x),τ(2), . . . , S_(x),τ(d)) of the receiver x distributed by the key generator in accordance with ##EQU51## and wherein Z represents a set of the whole of integers;lcm(a,b) represents the lowest common multiple of integers a and b, ord_(p) (g) represents the least integer x which satisfies g^(x) .tbd.1(mod p); and min {a₁, a₂, . . . , a_(n) } represents the least value in a₁, a₂, . . . , a_(n) (a_(i) .di-elect cons.Z).
 6. A key distribution system according to claim 1, 10 wherein(i) said key generator side comprises:means for generatingP_(i), Q_(i) :prime number (1≦i≦m) e_(i) .di-elect cons.Z, 0<e_(i) <L=lcm(L₁, L₂, . . . , L_(m)) (1≦i≦n)as confidential information of the key generator; means for generatingN_(i) =P_(i) Q_(i) (1≦i≦m) g_(i) .di-elect cons.Z, 0<g_(i) <N (1≦i≦M) ##EQU52## V=(v_(ij)), v_(ij) =g_(i) ^(h) j.sup.(e.sbsp.1.sup., . . . , e.sbsp.n.sup.) mod N (1≦i,j≦M),as public information of the key generator; storage means for storing said confidential information and said public information; means for acquiring key information of the key generator for σ_(x) =(σ_(x),1, . . . , σ_(x),a) .di-elect cons.S, σ'_(x) =(σ'_(x),1, . . . , σ'_(x),a) .di-elect cons.T from said storage means to calculate S.sub.σ.sbsb.x =((Sσ.sbsb.x,1.sub.(1), S.sub.σ.sbsb.x,1.sub.(2), . . . , S.sub.σ.sbsb.x,1.sub.(k)), . . . , (S.sub.σ.sbsb.x,a.sub.(1), S.sub.σ.sbsb.x,a.sub.(2), . . . , S.sub.σ.sbsb.x,a.sub.(k))) satisfying ##EQU53## means for distributing s.sub.σ.sbsb.x and ##EQU54## as key information of the receiver x, wherein ##EQU55## (1≦i≦M) represents a monomial of X₁, . . . , X_(n) on Z; for set S'(M)={σ=(σ₁, . . . , σ_(a))|one-to-one map σ_(i) :A={1, 2, . . . , k}→B={1, 2, . . . , M}(i=1, . . . , a), σ₁ (A) U . . . Uσ_(a) (A)=B, M=ak}, σ=(σ₁, . . . , σ_(a)), σ'=(σ'₁, . . . , σ'_(a)) .di-elect cons.S' (M), a relation of ##EQU56## is defined and a quotient set of S'(M) concerning "˜" is defined as S; and a quotient set of m=ad, S'(m) concerning "˜" is defined as T; means for randomly selecting for any receiver x an integer r which satisfies ##EQU57## means for calculating broadcast communication data

    W=(w.sub.ij), w.sub.ij =v.sub.ij.sup.r mod N (1≦i,j≦M)

from the public information of the key generator with the object of possessing K as a common key; and communication means for making the multi-address transmission of said broadcast communication data, and (ii) said receiver x side comprises:means for calculating the common key K from said broadcast communication data and said confidential information S.sub.σ.sbsb.x of the receiver x distributed by the key generator in accordance with ##EQU58## wherein ##EQU59## and wherein Z represents a set of the whole of integers; lcm(a,b) represents the lowest common multiple of integers a and b; and ord_(N) (g) represents the least integer x which satisfies g^(x) .tbd.1(mod N) for integers N and g.
 7. A key distribution system according to claim 2, wherein(i) said broadcasting station side comprises:means for generatingP_(i), Q_(i) :prime number (1≦i≦m) L_(i) =lcm(ord_(p).sbsb.i (g), ord_(Q).sbsb.i (g)) (1≦i≦m) e_(i) .di-elect cons.Z, 0<e_(i) <L=lcm (L₁, L₂, . . . , L_(m)) (1≦i≦n)as confidential information of the broadcasting station; means for generating ##EQU60## as public information of the broadcasting station; storage means for storing said confidential information and said public information; means for generating random numbers r' (0<r'<L); means for acquiring key information of the broadcasting station for σ_(x) .di-elect cons.S and τ.di-elect cons.T from said storage means to calculate S_(x),τ =(S_(x),τ(1), S_(x),τ(2), . . . , S_(x),τ(d)), U_(x),τ =(U_(x),τ(1), U_(x),τ(2), . . . , U_(x),τd)) satisfying ##EQU61## means for distributing s_(x),τ as key information of the receiver x, wherein L.sub.σ =lcm (L.sub.σ(1), L.sub.σ(2), . . . , L.sub.σ(k)) (σ.di-elect cons.S); h_(i) (X₁, . . . , X_(n)) (1≦i≦M) represents a monomial of X₁, . . . , X_(n) on Z; for set S'={f|one-to-one map f:A={1, 2, . . . , k}→B={1, 2, . . . , m), m≧K}, σ₁, σ₂ .di-elect cons.S', a relation "˜" on S' is defined as σ₁ ˜σ₂ ##EQU62## and a quotient set of S' concerning "˜" is defined as S; and set T={f|one-to-one map f:A={1, 2, . . . , d}→B={1, 2, . . . , M}, M≧d}; means for randomly selecting for any receiver x an integer r (0≦r≦L) which satisfies < K=g^(rr') mod N, ##EQU63## means for acquiring the key information of the broadcasting station from said storage means of said broadcasting station side to calculate

    z.sub.i =v.sub.i.sup.r mod N (1≦i≦M)

with the object of sharing a key K in common with the limited receivers; communication means for making the multi-address transmission of z_(i) (1≦i≦M), wherein ##EQU64## and communication means for transmitting u_(x),τ =(u_(x),τ(1), u_(x),τ(2), . . . , u_(x),τ(d)) to the limited receivers, and (ii) said receiver x side comprises: means for calculating the common key K from the broadcast communication data, said confidential information s_(x),τ the receiver x distributed by the broadcasting station and u_(x),τ in accordance with ##EQU65## and wherein Z represents a set of the whole of integers; lcm(a,b) represents the lowest common multiple of integers a and b; and ord_(p) (g) represents the least integer x which satisfies g^(x) .tbd.1(mod p).
 8. A key distribution system according to claim 2, wherein(i) said broadcasting station side comprises:means for generatingP_(i), Q_(i) :prime number (1≦i≦m) e_(i) .di-elect cons.Z, 0<e_(i) <L=lcm(L₁, L₂, . . . , L_(m)) (1≦i≦n)as confidential information of the broadcasting station; means for generatingN_(i) =P_(i) Q_(i) (1≦i≦m) g_(i) .di-elect cons.Z, 0<g_(i) <N (1≦i≦M) ##EQU66## V=(v_(ij)), v_(ij) =g_(i) ^(h) j.sup.(e.sbsp.1, . . . , e.sbsp.n) mod N (1≦i,j≦M)as public information of the broadcasting station; storage means for storing said confidential information and said public information of the broadcasting station; means for generating random numbers r' (0<r'<L); means for acquiring key information of the broadcasting station for σ_(x) =(σ_(x),1, . . . , σ_(x),a) .di-elect cons.S, σ'_(x) =(σ'_(x),1, . . . , σ'_(x),a) .di-elect cons.T from said storage means of said broadcasting station side to calculate S.sub.σ.sbsb.x =((S.sub.σ.sbsb.x,1.sub.(1), S.sub.σ.sbsb.x,1.sub.(2), . . . , S.sub.σ.sbsb.x,1.sub.(1)), . . . , (S.sub.σ.sbsb.x,a.sub.(1), S.sub.σ.sbsb.x,a.sub.(2), . . . , S.sub.σ.sbsb.x,a.sub.(k))), U.sub.σ.sbsb.x =((U.sub.σ.sbsb.x,1.sub.(1), U.sub.σ.sbsb.x,1.sub.(2), . . . , U.sub.σ.sbsb.x,1.sub.(k)), U.sub.σ.sbsb.x,a.sub.(1), U.sub.σ.sbsb.x,a.sub.(2), . . . , U.sub.σ.sbsb.x,a.sub.(k))) satisfying ##EQU67## means for distributing s_(x),τ and ##EQU68## as key information of the receiver x, wherein ##EQU69## h_(i) (X₁, . . . , X_(n)) (1≦i≦M) represents a monomial of X₁, . . . , X_(n) on Z; for set S(M)={σ=(σ₁, . . . , σ_(a))|one-to-one map σ_(i) :A={1, 2, . . . , k}→B={1, 2, . . . , M}(i=1, . . . , a), σ₁ (A) U . . . Uσ_(a) (A)=(B), M=ak}, σ=(σ₁, . . . , σ_(a)), σ'=(σ'₁, . . . , σ'_(a)) .di-elect cons.S(M), a relation of ##EQU70## . . . , σ_(a) (A)}={σ'₁ (A), . . . , σ'_(a) (A)} is defined and a quotient set of S(M) concerning "˜" is defined as S; and a quotient set of m=ad, S(m) concerning "˜" is defined as T; means for randomly selecting for any receiver x an integer r (0≦r≦L) which satisfies ##EQU71## (i=1, . . . a) means for acquiring the key information of the broadcasting station from said storage means of said broadcasting station side to calculate

    W=(w.sub.ij), w.sub.ij =v.sub.ij =ij.sup.r mod N (1≦i,j≦M)

with the object of sharing a key K in common with the limited receivers; communication means for making the multi-address transmission of W; and communication means for transmitting U.sub.σ.sbsb.x =((u.sub.σ.sbsb.x,1.sub.(1), u.sub.σ.sbsb.x,1.sub.(2), . . . , u.sub.σ.sbsb.x,1.sub.(k)), . . . , (u.sub.σ.sbsb.x,a.sub.(1), u.sub.σ.sbsb.x,a.sub.(2), . . . , u.sub.σ.sbsb.x,a.sub.(k))) to the limited receivers; and (ii) said receiver x side comprises:means for calculating the common key K from the broadcast communication data, said confidential information s.sub.σ.sbsb.x of the receiver x distributed by the broadcasting station and u.sub.σ.sbsb.x in accordance with ##EQU72## wherein ##EQU73## and wherein Z represents a set of the whole of integers; lcm(a,b) represents the lowest common multiple of integers a and b; and ord_(N) (g) represents the least integer x which satisfies g^(x) .tbd.1(mod N) for integers N and g.
 9. A key distribution system according to claim 5, wherein said key generator side further comprises means for selecting the key information s_(x),τ of the receiver x to satisfy a condition of

    π.sub.x ≠g

for any receiver x.
 10. A key distribution system according to claim 6, wherein said key generator side further comprises means for selecting the key information s.sub.σ.sbsb.x of the receiver x to satisfy so that ##EQU74## is satisfied.
 11. A key distribution system according to claim 8, wherein said broadcasting station side further comprises means for selecting the key information s.sub.σx of the receiver x to satisfy so that ##EQU75## is satisfied.
 12. A key distribution system according to claim 7, wherein said broadcasting station side further comprises means for changing the value of the common key K by changing the value of r of the common key K=g^(rr') mod N.
 13. A key distribution system according to claim 7, wherein said broadcasting station side further comprises means for identifying transmit data by taking the value of r' of the common key K=g^(rr') mod N as a value characteristic of the transmit data.
 14. A key distribution system according to claim 7, wherein the limited receiver x side comprises authentication means for making the authentication for the broadcasting station side by use of the confidential information s_(x),τ and means for receiving u_(x),τ after the authentication is made by said authentication means, and wherein the broadcasting station side comprises accounting means by which in the case where data P enciphered using the common key K is onerous indicating that a fee is charged, a process for account of a charge for P to the receiver x is performed.
 15. A key distribution system according to claim 7, wherein in the case where the receiver x possesses a storage medium with a computing function having the confidential key s_(x),τ and connects said storage medium to a receiving unit having a higher computing function to calculate the common key ##EQU76## said receiving unit comprises: means for performing the calculation of

    ξ.sub.x'τ(i) =z.sub.τ(i).sup.u.sbsp.x,τ(i) mod N (1≦i≦d);

means for outputting ξ_(x),τ(i) (1≦i≦d) to said storage medium; and means for performing the calculation of ##EQU77## on the basis of information from said storage medium, and said storage medium comprises: means for performing the calculation of

    η.sub.x,τ(i) =ξ.sub.x,τ(i).sup.s x,τ(i) mod N (1≦i≦d)

on the basis of information from said receiving unit; and means for outputting η_(x),τ(i) (1≦i≦d) to said receiving unit.
 16. A key distribution system according to claim 8, wherein in the case where the receiver x possesses a storage medium with a computing function having the confidential key s.sub.σ.sbsb.x and connects said storage medium to a receiving unit having a higher computing function to calculate the common key K, said storage medium comprises means for performing a calculation using confidential information, and said receiving unit comprises means for means for performing a calculation using no confidential information.
 17. A key distribution system according to claim 2, wherein(i) said broadcasting station side comprises:means for generatingP_(i), Q_(i) :prime number e_(i) .di-elect cons.Z, 0<e_(i) <L=lcm(P-1, Q-1) (1≦i≦m)as confidential information of the broadcasting station; means for generatingN=PQas public information of the broadcasting station; storage means for storing said confidential information and said public information; means for generating random numbers r .di-elect cons.Z, π=(π₁, . . . , π_(l)) .di-elect cons.R_(k),n ; means for acquiring key information of the broadcasting station for σ=(σ₁, . . . , σ_(l)) .di-elect cons.S_(k),n from said storage means of said broadcasting station side to calculate S_(x),τ(π,σ) =(S_(x),π.sbsb.1.sub.(1), . . . , S_(x),π.sbsb.1.sub.(h), . . . , S_(x),π.sbsb.l.sub.(1), . . . , S_(x),π.sbsb.l.sub.(h)), r_(x),(π,σ) =(r_(x),π.sbsb.1.sub.(1), . . . , r_(x),π.sbsb.1.sub.(h), . . . , r_(x),π.sbsb.l.sub.(1), . . . , r_(x),π.sbsb.l.sub.(h)) satisfying ##EQU78## means for distributing s_(x),(π,σ) as key information of the receiver x, wherein ##EQU79## when σ=(σ(σ₁, . . . , σ_(l)), (σ'₁, . . . , σ'_(l)), .di-elect cons.S'_(k),n for n=kl, set R_(k),n ={π=(π₁, . . . , π_(l))|one-to-one map π_(i) :{1, 2, . . . , h}→{1, 2, . . . , m}(1≦i≦l,1≦h≦m)}, set S'_(k),n ={σ=(σ₁, . . . , σ_(l))|one-to-one map σ_(i) :A={1, 2, . . . , k}→B={1, 2, . . . , n}(1≧i≧l), σ₁ (A) U . . . Uσ_(l) (A)=B}, a relation of ##EQU80## is defined in regard to proper permutation τ on a set {1, 2, . . . , l}, "˜" representing an equivalent relation on S and S'_(k),n being S_(k),n =S'_(k),n /˜; means for randomly selecting r.di-elect cons.Z for g_(i) .di-elect cons.Z (0<g_(i) <N, 1≦i≦n=kl) in said storage means of said broadcasting station side; means for calculating ##EQU81## means for acquiring the key information of the broadcasting station from said storage means of said broadcasting station side to calculate

    y.sub.ij =u.sub.ij.sup.r mod N (1≦i≦m, 1≦j≦n)

with the object of sharing a key K in common with only the limited receivers; means for making the multi-address transmission of y_(ij) (1≦i≦m, 1≦j≦n); and means for transmitting r_(x),(π,σ) =(r_(x),π.sbsb.1.sub.(1), . . . , r_(x),π.sbsb.1.sub.(h), . . . , r_(x),π.sbsb.l.sub.(1), . . . , r_(x),π.sbsb.l.sub.(h)) to the limited receivers x, and (ii) said receiver x side comprises:means for calculating the common key K from the broadcast communication data, said confidential information s_(x),(π,σ) of the receiver x distributed by the broadcasting station and r_(x),(π,σ) in accordance with ##EQU82## and wherein Z represents a set of the whole of integers; lcm(a,b) represents the lowest common multiple of integers a and b; and ord_(N) (g) represents the least positive integer x which satisfies g^(x) .tbd.1(mod N) for integers N and g.
 18. A key distribution system according to claim 7, wherein said broadcasting station side further comprises means for selecting the key information s_(x),τ of the receiver x to satisfy a condition of

    π.sub.x ≠g

for any receiver x.
 19. A key distribution system according to claim 8, wherein said broadcasting station side further comprises means for changing the value of the common key K by changing the value of r of the common key K=g^(rr') mod N.
 20. A key distribution system according to claim 8, wherein said broadcasting station side further comprises means for identifying transmit data by taking the value of r' of the common key K=g^(rr') mod N as a value characteristic of the transmit data.
 21. A key distribution system according to claim 8, wherein the limited receiver x side comprises authentication means for making the authentication for the broadcasting station side by use of the confidential information s.sub.σx' and means for receiving u.sub.σx, after the authentication is made by said authentication means, and wherein the broadcasting station side comprises accounting means by which in the case where data P enciphered using the common key K is onerous indicating that a fee is charged, a process for account of a charge for P to the receiver x is performed.
 22. A key distribution method in which a sender and a plurality of receivers use individual key information generated beforehand by a key generator to share a common key information for performing a secure broadcast communication, wherein(i) the key generator side is provided with the steps of:generating confidential information of a receiver in association with a subset inclusive of at least two elements of a first finite set SI on the basis of a space determined by a subset inclusive of at least two elements of a second finite set S2; and distributing said confidential information to the receiver, (ii) the sender side is provided with:generating key distribution data corresponding to each element of said first finite set S1; and making the multi-address transmission of said key distribution data, and (iii) the receiver side is provided with the steps of:storing said confidential information beforehand; and calculating common key information K between the sender and the receiver from the stored confidential information for each receiver and the key distribution data.
 23. A key distribution method for sharing common key information in a limited secure broadcast communication in which a broadcasting station as a sender communicates wits only receivers limited from among a plurality of receivers, wherein(i) the sender side is provided with the steps of:generating confidential information of a receiver in association with a subset inclusive of at least two elements of a finite set S; distributing said confidential information to the receiver; generating key distribution data corresponding to each element of said finite set S; making the multi-address transmission of said key distribution data; generating individual information for each receiver to be transmitted to only said limited receivers; and transmitting said individual information for each limited receiver x, and (ii) the receiver x side is provided with:a step of calculating common key information K between the sender side and the receiver from said confidential information s_(x) for each receiver distributed by said sender side, said key distribution data and said individual information.
 24. A key distribution method according to claim 23, wherein said sender side is further provided with a step of changing said key distribution data to change the value of said common key.
 25. A key distribution method according to claim 23, wherein said receiver x side is provided with a step of for making the authentication for the sender side by use of said confidential information s_(x) in the case where transmit data is onerous indicating that a fee is charged, and said sender side is provided with a step of transmitting said individual information V_(x) if the authentication requested from the receiver side is materialized.
 26. A key distribution method according to claim 22, wherein(i) as a preparatory process,said key generator side is provided with the steps of:generating P_(i), Q_(i) :prime number (1≦i≦m) L_(i) =lcm(ord_(p).sbsb.i (g), ord_(Q).sbsb.i (g)) (1≦i≦m) e_(i) .di-elect cons.Z, 0<e_(i) <L=lcm(L₁, L₂, . . . , L_(m)) (1≦i≦n)as confidential information of the key generator; generating ##EQU83## as public information of the key generator; storing said confidential information and said public information of said key generator into storage means; acquiring key information of the key generator for σ_(x) .di-elect cons.S and τ_(x) .di-elect cons.T from said storage means to calculate S_(x),τ =(S_(x),τ(1), S_(x),τ(2), . . . , S_(x),τ(d)), satisfying ##EQU84## distributing s_(x),τ as key information of the receiver x, wherein L.sub.σ =lcm (L.sub.σ(1), L.sub.σ(2), . . . , L.sub.σ(k)) (σ.di-elect cons.S); h_(i) (X₁, . . . , X_(n)) (1≦i≦M) represents a monomial of X₁, . . . , X_(n) on Z; for set S'={f|one-to-one map f:A={1, 2, . . . , k}→B={1, 2, . . . , m}, m≧K}, σ₁, σ₂ .di-elect cons.S', a relation "˜" on S' is defined as ##EQU85## and a quotient set of S' concerning "˜" is defined as S; and set T={f|one-to-one map f:A={1, 2, . . . , d}→B={1, 2, . . . , M), M≧d}, and (ii) as a key distribution process, (1) the sender side is provided with the steps of:randomly selecting for any receiver x an integer r which satisfies

    0<K=g.sup.r mod N, ##EQU86## calculating

    z.sub.i =v.sub.i.sup.r mod N (1≦i≦M)

as broadcast communication data from the public information of the key generator with the object of possessing K as a common key; and making the multi-address transmission of said broadcast communication data, wherein ##EQU87## and (2) said receiver x side is provided with: a step of calculating the common key K from said broadcast communication data and said confidential information S_(x),τ =(S_(x),τ(1), S_(x),τ(2), . . . , S_(x),τ(d)) of the receiver x distributed by the key generator in accordance with ##EQU88## and wherein Z represents a set of the whole of integers; lcm(a,b) represents the lowest common multiple of integers a and b; ord_(p) (g) represents the least integer x which satisfies g^(x) .tbd.1(mod p); and min {a₁, a₂, . . . , a_(n) } represents the least value in a₁, a₂, . . . , a_(n) (a_(i) .di-elect cons.Z).
 27. A key distribution method according to claim 22, wherein(i) as a preparatory process, said key generator side is provided with the steps of:generating P_(i), Q_(i) :prime number (1≦i≦m) e_(i) .di-elect cons.Z, 0<e_(i) <L=lcm(L₁, L₂, . . . , L_(m)) (1≦i≦n) as confidential information of the key generator;generating N_(i) =P_(i) Q_(i) (1≦i≦m) g_(i) .di-elect cons.Z, 0<g_(i<N) ( 1≦i≦M) ##EQU89## V=(v_(ij)), v_(ij) =g_(i) ^(h) i.sup.(e.sbsp.1.sup., . . . , e.sbsp.n.sup.) mod N (1≦i,j≦M) as public information of the key generator;storing said confidential information and said public information of the key generator into storage means; acquiring key information of the key generator for σ_(x) =(σ_(x),1, . . . , σ_(x),a) .di-elect cons.S, σ'_(x) =(σ'_(x),1, . . . , σ'_(x),a) .di-elect cons.T from said storage means to calculate S.sub.σ.sbsb.x =((S.sub.σ.sbsb.x,1.sub.(1), S.sub.σ.sbsb.x,1.sub.(2), . . . , S.sub.σ.sbsb.x,1.sub.(k)), . . . , (S.sub.σ.sbsb.x,a.sub.(1), S.sub.σ.sbsb.x,1.sub.(1), S.sub.σ.sbsb.x,a.sub.(k))) satisfying ##EQU90## and distributing s.sub.σ.sbsb.x and ##EQU91## as key information of the receiver x, wherein ##EQU92## (i=1, . . . , a); h_(i) (X₁, . . . , X_(n)) (1≦i≦M) represents a monomial of X₁, . . . , X₂ on Z; for set S'(M)={σ=(σ₁, . . . , σ_(a))|one-to-one map σ_(i) :A={1, 2, . . . , k}→B={1, 2, . . . , M}(i=1, . . . , a), σ₁ (A) U . . . Uσ_(a) (A)=B, M=ak}, σ=(σ₁, . . . , σ_(a)), σ'=(σ'₁, . . . , σ'_(a)) .di-elect cons.S'(M), a relation of ##EQU93## . . . , σ_(a) (A)}={σ'₁ (A), . . . , σ'_(a) (A)} is defined and a quotient set of S'(M) concerning "˜" is defined as S; and a quotient set of m=ad, S'(m) concerning "˜" is defined as T; and (ii) as a key distribution process, (1) the sender side is provided with the steps of:randomly selecting for any receiver x an integer r which satisfies ##EQU94## calculating broadcast communication data

    W=(w.sub.ij), w.sub.ij =v.sub.ij mod N (1≦i≦M)

from the public information of the key generator with the object of possessing K as a common key; and making the multi-address transmission of said broadcast communication data, and (2) said receiver x side is provided with:calculating the common key K from said broadcast communication data and said confidential information s.sub.σ.sbsb.x of the receiver x distributed by the key generator in accordance with ##EQU95## wherein ##EQU96## and wherein Z represents a set of the whole of integers; lcm(a,b) represents the lowest common multiple of integers a and b; and ord_(N) (g) represents the least integer x which satisfies g^(x) .tbd.1(mod N) for integers N and g.
 28. A key distribution method according to claim 23, wherein(i) as a preparatory process, said broadcasting station side is provided with the steps of:generating P_(i), Q_(i) :prime number (1≦i≦m) L_(i) =lcm (ord_(p).sbsb.i (g), ord_(Q).sbsb.i (g)) (1≦i≦m) e_(i) .di-elect cons.Z, 0<e_(i) <L=lcm (L₁, L₂, . . . , L_(m)) (1≦i≦n)as confidential information of the broadcasting station; generating ##EQU97## as public information of the broadcasting station; storing said confidential information and said public information into storage means; generating random numbers r' (0<r'<L); acquiring key information of the broadcasting station for σ_(x) .di-elect cons.S and τ.di-elect cons.T from said storage means to calculate S_(x),t =(S_(x),τ(1), S_(x),τ(2), . . . , S_(x),τ(d)), u_(x),τ =(u_(x),τ(1), u_(x),τ(2), . . . , u_(x),τ(d)) satisfying ##EQU98## and distributing s_(x),τ as key information of the receiver x, wherein L.sub.σ =1cm (L.sub.σ(1), L.sub.σ(2), L.sub.σ(k)) (σ.di-elect cons.S); h_(i) (X₁, . . . , X_(n)) (1≦i≦M) represents a monomial of X₁, . . . , X_(n) on Z; for set S'={f|one-to-one map f:A={1, 2, . . . , k}→B={1, 2, . . . , m}, m≧K}, σ₁, σ₂ .di-elect cons.S', a relation "˜" on S' is defined as ##EQU99## and a quotient set of S' concerning "˜" is defined as S, and set T={f|one-to-one map f:A={1, 2, . . . , d}→B={1, 2, . . . , M}, M≧d}, and (ii) as a key distribution process, (1) said broadcasting station side is provided with the steps of:randomly selecting for any receiver x an integer r (0<r<L) which satisfies

    0<K=g.sup.rr' mod N, ##EQU100##  acquiring the key information of the broadcasting station from said storage means of said broadcasting station side to calculate

    z.sub.i =v.sub.i.sup.r mod N (1≦i≦M)

with the object of sharing a key K in common with the limited receivers; making the multi-address transmission of z_(i) (1≦i≦M), wherein ##EQU101## and transmitting u_(x),τ =(u_(x),τ(1), u_(x),τ(2), . . . , u_(x),τ(d)) to the limited receivers, and (2) said receiver x side is provided with:a step of calculating the common key K from the broadcast communication data, said confidential information s_(x),τ of the receiver x distributed by the broadcasting station and u_(x),τ in accordance with ##EQU102## and wherein Z represents a set of the whole of integers; lcm(a,b) represents the lowest common multiple of integers a and b; and ord_(p) (g) represents the least integer x which satisfies g^(x) .tbd.1(mod p).
 29. A key distribution method according to claim 23, wherein(i) as a preparatory process, said broadcasting station side is provided with the steps of:generating P_(i), Q_(i) :prime number (1≦i≦m) e_(i) .di-elect cons.Z; 0<ei<L=lcm (L₁, L₂, . . . , L_(m)) (1≦i≦n) as confidential information of the broadcasting station; generating ##EQU103## as public information of the broadcasting station; storing said confidential information and said public information of the broadcasting station into storage means; generating random numbers r' (0<r'<L); acquiring key information of the broadcasting station for σ_(x) =(σ_(x),1, . . . , σ_(x),a) .di-elect cons.S, σ'_(x),1, . . . , σ'_(x),a) .di-elect cons.T from said storage means of said broadcasting station side to calculate S.sub.σ.sbsb.x =((Sσ.sbsb.x,1.sub.(1), S.sub.σ.sbsb.x,1.sub.(2), . . . , S.sub.σ.sbsb.x,1.sub.(k)), . . . , (S.sub.σ.sbsb.x,a.sub.(1), S.sub.σ.sbsb.x,a.sub.(2), . . . , S.sub.σ.sbsb.x,a.sub.(k))), u.sub.σ.sbsb.x =((u.sub.σ.sbsb.x,1.sub.(1), u.sub.σ.sbsb.x,1.sub.(2), . . . , u.sub.σ.sbsb.x,1.sub.(k)), . . . , (u.sub.σ.sbsb.x,a.sub.(1), u.sub.σ.sbsb.x,a.sub.(2), . . . , u.sub.σ.sbsb.x,a.sub.(k))) satisfying ##EQU104## and distributing s.sub.σ.sbsb.x and ##EQU105## as key information of the receiver x, wherein ##EQU106## (i=1, . . . , a); h_(i) (X₁, . . . , X_(n)) (1≦i≦M) represents a monomial of X₁, . . . , X_(n) on Z; for set S(M)={σ=(σ₁, . . . , σ_(a))|one-to-one map σ_(i) :A={1, 2, . . . , k}→B={1, 2, . . . , M}(i=1, . . . , a), σ₁ (A) U . . . Uσ_(a) (A)=B, M=ak}, σ=(σ₁, . . . , σ_(a)), σ'=(σ'₁, . . . , σ'_(a)) .di-elect cons.S(M), a relation of ##EQU107## . . . , σ_(a) (A)}={σ'₁ (A), . . . , σ'_(a) (A)} is defined and a quotient set of S(M) concerning "˜" is defined as S; and a quotient set of m=ad, S(m) concerning "˜" is defined as T, and (ii) as a key distribution process, (1) said broadcasting station side is provided with the steps of:randomly selecting for any receiver x an integer r (0<r<L) which satisfies ##EQU108## acquiring the key information of the broadcasting station from said storage means of said broadcasting station side to calculate

    W=(w.sub.ij), w.sub.ij.sup.r mod N (1≦i,j≦M)

with the object of sharing a key K in common with the limited receivers; making the multi-address transmission of W; and transmitting u.sub.σ.sbsb.x =((u.sub.σ.sbsb.x,1.sub.(1), u.sub.σ.sbsb.x,1.sub.(2), . . . , u.sub.σ.sbsb.x,1.sub.(k)), . . . , (u.sub.σ.sbsb.x,a.sub.(1), u.sub.σ.sbsb.x,a.sub.(2), . . . , u.sub.σ.sbsb.x,a.sub.(k))) to the limited receivers, and (2) said receiver x side is provided with:a step of calculating the common key K from the broadcast communication data, said confidential information s.sub.σ.sbsb.x of the receiver x distributed by the broadcasting station and u.sub.σ.sbsb.x in accordance with ##EQU109## wherein ##EQU110## and wherein Z represents a set of the whole of integers; lcm(a,b) represents the lowest common multiple of integers a and b; and ord_(N) (g) represents the least integer x which satisfies g^(x) .tbd.1(mod N) for integers N and g.
 30. A key distribution method according to claim 26, wherein said key generator side is further provided with a step of selecting the key information s_(x),t of the receiver x to satisfy a condition of

    π.sub.x ≠g

for any receiver x.
 31. A key distribution method according to claim 26, wherein said key generator side is further provided with a step of selecting the key information s.sub.σ.sbsb.x of the receiver x to satisfy so that ##EQU111## is satisfied.
 32. A key distribution method according to claim 29, wherein said broadcasting station side is further provided with a step of selecting the key information s.sub.σ.sbsb.x of the receiver x to satisfy so that ##EQU112## is satisfied.
 33. A key distribution method according to claim 28, wherein said broadcasting station side is further provided with a step of changing the value of the common key K by changing the value of r of the common key K=g^(rr') mod N.
 34. A key distribution method according to claim 28, wherein said broadcasting station side is further provided with a step of identifying transmit data by taking the value of r' of the common key K=g^(rr') mod N as a value characteristic of the transmit data.
 35. A key distribution method according to claim 28, wherein the limited receiver x side is provided with a step of making the authentication for the broadcasting station side by use of the confidential information s_(x),τ' and a step of receiving u_(x),τ, after the authentication is made, and wherein the broadcasting station side is provided with a step in which in the case where data P enciphered using the common key K is onerous indicating that a fee is charged, a process for account of a charge for P to the receiver x is performed.
 36. A key distribution method according to claim 28, wherein in the case where the receiver x possesses a storage medium with a computing function having the confidential key s_(x),τ and connects said storage medium to a receiving unit having a higher computing function to calculate the common key ##EQU113## there comprises: a step of performing the calculation of

    ξ.sub.x,τ(i) =z.sub.τ(i).sup.u.sbsp.x,τ(i) mod N (1≦i≦d);

by said receiving unit; a step of outputting ξ_(x')τ(i) ( 1≦i≦d) from said receiving unit to said storage medium; a step of performing the calculation of

    η.sub.x,τ(i)=ξ.sub.x,τ(i).sup.s.sbsp.x,τ(i) mod N (1≦i≦d)

by said storage medium on the basis of information from said receiving unit; a step of outputting η_(x),τ(i) (1≦i≦d) from said storage medium to said receiving unit; and a step of performing the calculation of ##EQU114## by said receiving unit on the basis of information from said storage medium.
 37. A key distribution method according to claim 29, wherein in the case where the receiver x possesses a storage medium with a computing function having the confidential key s.sub.σ.sbsb.x and connects said storage medium to a receiving unit having a higher computing function to calculate the common key K, the transfer of information between said storage medium and said receiving unit is made with a step of performing a calculation using confidential information in said storage medium and a step of performing a calculation using no confidential information in said receiving unit.
 38. A key distribution method according to claim 23, wherein(i) as a preparatory process, said broadcasting station side is provided with the steps of:generating P, Q:prime number e_(i) .di-elect cons.Z, 0<e_(i) <L=lcm(P-1, Q-1) (1≦i≦m)as confidential information of the broadcasting station; generating N=PQas public information of the broadcasting station; storing said confidential information and said public information of the broadcasting station into storage means; generating random numbers r.di-elect cons.Z, π=(π₁, . . . , π_(l)) .di-elect cons.R_(k),n ; acquiring key information of the broadcasting station for σ=(σ1, . . . , σ_(l)) .di-elect cons.Sk,n from said storage means of said broadcasting station side to calculate S_(x), (.sub.π,σ) =(S_(x),π.sbsb.1.sub.(1), . . . , S_(x),π.sbsb.1.sub.(h), . . . , S_(x),π.sbsb.l.sub.(1), . . . , S_(x),π.sbsb.l.sub.(h)), ^(r) _(x), (.sub.π,σ) =(^(r) _(x),π.sbsb.1.sub.(1), . . . , ^(r) _(x),π.sbsb.1.sub.(h), . . . , ^(r) _(x),π.sbsb.l.sub.(1), . . . , ^(r) _(x),π.sbsb.l.sub.(h)) satisfying ##EQU115## and a step of distributing s_(x), (.sub.π,σ) as key information of the receiver x, wherein ##EQU116## when σ=(σ₁, . . . , σ_(l)), σ'₁ =(σ'₁, . . . , σ'_(l)), .di-elect cons.S'_(k),n for n=kl, set R_(k),n ={π=(π₁, . . . , π_(l))|one-to-one map π_(i) :{1, 2, . . . , h}→{1, 2, . . . , m}, (1≦i≦l,1≦h≦m)}, set S'_(k),n ={σ=(σ₁, . . . , σ_(l))|one-to-one map σ_(i) :A{1, 2, . . . , k}→B={1, 2, . . . , n}(1≦i≦l), σ₁ (A) U . . . U σ_(l) (A)=B}, a relation of ##EQU117## is defined in regard to proper permutation τ on a set {1, 2, . . . , l}, "˜" representing an equivalent relation on S'_(k),n and S_(kn) being S_(k),n =S'_(k),n /˜, and (ii) as a key distribution process, (1) said broadcasting station side is provided with the steps of:randomly selecting r.di-elect cons.Z for g_(i) .di-elect cons.Z (0<g_(i) <N, 1≦i≦n=kl) in said storage means of said broadcasting station side; calculating ##EQU118## acquiring the key information of the broadcasting station from said storage means of said broadcasting station side to calculate

    y.sub.ij =u.sub.ij.sup.r mod N (1≦i≦m, 1≦i≦n)

with the object of sharing a key K in common with only the limited receivers; making the multi-address transmission of y_(ij) (1≦i≦m, 1≦j≦n); and transmitting r_(x),(π,σ)=(r_(x),π.sbsb..sub.(1), . . . , r_(x),π.sbsb.1.sub.(h), . . . , r_(x),π.sbsb.l.sub.(1), . . . , r_(x),π.sbsb.l.sub.(h)) to the limited receivers x, and (2) said receiver x side is provided with: a step of calculating the common key K from the broadcast communication data, said confidential information s_(x),(π,σ) of the receiver x distributed by the broadcasting station and r_(x),(π,σ) in accordance with ##EQU119## and wherein Z represents a set of the whole of integers; lcm(a,b) represents the lowest common multiple of integers a and b; and ord_(N) (g) represents the least positive integer x which satisfies g^(x) .tbd.1(mod N) for integers N and g.
 39. A key distribution method according to claim 28, wherein said broadcasting station side is further provided with a step of selecting the key information s_(x),τ of the receiver x to satisfy a condition of

    π.sub.x ≠g

for any receiver x.
 40. A key distribution method according to claim 29, wherein said broadcasting station side is further provided with a step of changing the value of the common key K by changing the value of r of the common key K=g^(rr') mod N.
 41. A key distribution method according to claim 29, wherein said broadcasting station side is further provided with a step of identifying transmit data by taking the value of r' of the common key K=g^(rr') mod N as a value characteristic of the transmit data.
 42. A key distribution method according to claim 29, wherein the limited receiver x side is provided with a step of making the authentication for the broadcasting station side by use of the confidential information s.sub.σx' and a step of receiving u.sub.σx after the authentication is made, and wherein the broadcasting station side is provided with a step in which in the case where data P enciphered using the common key K is onerous indicating that a fee is charged, a process for account of a charge for P to the receiver x is performed. 